30th September 2017 - SharePoint Saturday Milan
TRANSCRIPT
Identity and Authentication options for Office 365 / Azure AD in Hybrid Infrastructures
Alessandro Appiani, Founder & CTO - Pulsar IT
[email protected] - @alexappiani
#SPSMilan
A Huge “Thank You!” To Our Sponsors …
In cooperation with
Alessandro Appiani - About me
• 30+ years experience in IT Technologies and Solutions
• Computer Science Master’s Degree (full marks with honors) in 1989
• Founder of Italian Association for Artificial Intelligence in 1988
• Microsoft Certified since 1995
• Microsoft TechNet speaker & Train-the-trainer since 1996
• MVP, MCT, MCITP Windows+Exchange+Lync+Office365
• Microsoft Most Valuable Professional Skype for Business (Office Servers)
• Microsoft Windows Expert since version NT 3.51 (1995)
• Microsoft Exchange Expert since first product release (Exchange 4.0 - 1996)
• Microsoft Lync/Skype Expert since first product release (LCS 2003)
• Microsoft Office 365 Expert since first Cloud version (BPOS - 2009)
• Pulsar IT Founder & CTO
• technologies, strategy, digital transformation, advisory, ...
• Twitter: @AlexAppiani
www.pulsarit.net – info@pulsarit.net
Skype for Business
Office Servers
Design, Deploy, and Support Microsoft Solutions
• Enterprise Collaboration: OneDrive, Teams, SharePoint, Skype, Exchange, Office 365 Apps
• Telephony & Enterprise Voice: Skype for Business Telephony, Microsoft's Phone System / Cloud PBX
• Modern & Hybrid DataCenter: Azure, Windows Server, Hyper-V, System Center
• Windows 10 & Enterprise Mobility + Security: PC + Device & Application Management
• Secure Productive Enterprise: Trusted environment for Smart Working
Microsoft Excellence since 1995
www.pulsarit.net
Agenda
• Identity & Directory basics
• Azure Active Directory
• Hybrid Identity
  • Design
  • User Sign-In Options
  • Azure AD Connect
• Modern Authentication
• Azure Identity Power
BASICS - Fundamentals and Terminology
Identity
• A (digital) identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organisation, application, or device. [1]
• ISO/IEC 24760-1 defines identity as a "set of attributes related to an entity" [2]
• The identity information makes each entity unique and different from every other
• Identities are usually stored in a repository (i.e. a Directory)
• From a security point of view, each identity in the repository represents a Security Principal used to uniquely identify an entity (e.g. a User Account)

[1] Digital Identity, https://en.wikipedia.org/wiki/Digital_identity
[2] ISO/IEC 24760-1:2011 Information technology -- Security techniques -- A framework for identity management -- Part 1: Terminology and concepts, https://www.iso.org/standard/57914.html
Authentication
• Authentication is a process for verifying the identity of something or someone
• Authentication relies on trust among process components
  • customs, passports, identity cards, issuing organizations, people, ...
• And on the validity and integrity of credentials
Authorization
• Authorization is the process of gaining access to resources, usually with different rights for different identities
• Identity is verified through authentication
• The security administrator of a resource defines what kind of rights a known entity has, or what type of actions are permitted
IDENTITY & DIRECTORY
Identity in Microsoft World: Active Directory
• Active Directory is a Directory Service
  • Previewed in 1999 and released in Windows 2000
  • Developed from the Microsoft Exchange implementation of X.500 Directory Services (Jet DB, Multi-master, ...) used since March 1996 (v4.0)
• Starting with Windows Server 2008 other services were added
  • e.g. Active Directory Federation Services
• In July 2012 Microsoft announced the developer preview of Azure Active Directory (AAD)
• AAD is a multi-tenant, cloud-based, directory and identity management service
Evolving Active Directory (diagram series)
• On-premises: Windows Server Active Directory
• Then reached over VPN and from BYO devices, with SaaS, Azure, public cloud, customers and partners outside the perimeter
• Then Microsoft Azure Active Directory added alongside the on-premises directory

Azure AD is key in Microsoft Identity (diagram)
• Single sign-on, Self-service, Simple connection
• Connects on-premises Windows Server Active Directory and other directories, through Microsoft Azure Active Directory, to SaaS, Azure, public cloud, customers and partners
AZURE ACTIVE DIRECTORY (AAD) - The Office 365 Directory
Identity in Microsoft Clouds
• Office 365
  • started with its own directory, "Organizational identity" (based on a "hidden" underlying Azure AD)
  • the 2013 tenant version introduced Organizational identity, Hybrid Models, Active Directory federation and Sync with on-premises - preview 2012, GA March 2013
  • http://blogs.office.com/b/microsoft_office_365_blog/archive/2013/02/27/office-365-commercial-availability-global-customers.aspx
• Azure
  • started with Microsoft ID (Live ID) and Application Identity only (managed by Developers)
  • IaaS introduced Active Directory integration - preview July 2012, GA Nov 2012
  • http://blogs.msdn.com/b/windowsazure/archive/2012/07/12/announcing-the-developer-preview-of-windows-azure-active-directory.aspx
  • http://blogs.msdn.com/b/windowsazure/archive/2012/11/28/windows-azure-now-supports-federation-with-windows-server-active-directory.aspx
  • Active Directory enhancements: Multi-AD Management, Multi-Factor Authentication, ... - Sept 2013
  • http://weblogs.asp.net/scottgu/archive/2013/09/26/windows-azure-new-virtual-machine-active-directory-multi-factor-auth-storage-web-site-and-billing-improvements.aspx
• Azure AD is now the backplane for Identity & Security of the whole Azure Platform
Azure AD - Identity and access management for the cloud
(Gartner Magic Quadrant for Access Management 2017)
Azure Active Directory
• Microsoft "Identity Management as a Service (IDaaS)" for organizations.
• Millions of independent identity systems controlled by enterprise and government "tenants."
• Information is owned and used by the controlling organization, not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization's relationships with its customers/citizens and partners (B2C and B2B).
• 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
• >110k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 750 M user accounts on Azure AD
• >10 M Azure AD Directories
• 85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
• Every Office 365 and Microsoft Azure customer uses Azure Active Directory
2016 usage data
Azure is the target of Microsoft's Active Directory investments for new features*
* in agreement with the "Cloud-first" proposition ☺
HYBRID IDENTITY DESIGN
Hybrid Identity concept
• More than one Identity and Directory involved
  • usually (one or more) Directories on-prem (e.g. AD Forests) and (one) Directory in the cloud (Azure AD Tenant)
• We want to "share" and use the same Identity (i.e. User Account and Password), and not have two distinct ones
• Identities (sets of attributes) have to be replicated among Directories
  • two-way sync is possible ("Writeback" from Cloud to On-Prem)
• Identity - Authentication - Authorization
  • different concepts and processes
  • Azure AD Connect does not manage Authentication (user sign-in)
Components
• Azure AD Connect
  • a tool to provision and configure hybrid identity components
• Azure AD Connect Sync Engine
  • the replication engine between AD and Azure AD (and vice versa)
  • syncs identities and attributes between directories
• Sign-On
  • the authentication process required to access (Cloud) resources
Hybrid Identity Sign-in Options
• Synchronized
  • Password hash synchronization (PHS)
• Pass-through
  • Pass-Through Authentication (PTA)
• Federated
  • Active Directory Federation Services (ADFS)
  • Third Party (Ping, Centrify, Okta, OneLogin, ...)
Choosing the user sign-in method

I need to ...                                                                                           PHS   PTA*  ADFS
Sync new user, contact, and group accounts in on-premises Active Directory to the cloud automatically.  x     x     x
Set up my tenant for Office 365 hybrid scenarios.                                                       x     x     x
Enable my users to sign in and access cloud services by using their on-premises password.               x     x     x
Implement single sign-on by using corporate credentials.                                                x*    x*    x
Ensure that no passwords are stored in the cloud.                                                             x     x
Enable on-premises multi-factor authentication solutions.                                                           x

* Pass-Through Authentication and the Seamless Sign-On option are both currently in Preview
Sign-in curve (chart: Value vs. Complexity)
• Cloud only Accounts
• AAD Connect, Cloud Accounts
• AAD Connect + PHS
• AAD Connect + PHS and SSO
• AAD Connect + PTA and SSO
• AAD Connect + AD FS
(PTA and Seamless SSO not yet in GA, preview)
UNDERSTANDING USER SIGN-IN OPTIONS
Password Hash Sync (PHS)
• The easiest way to Hybrid identity
• The original clear text password is never accessed nor replicated (only the hash is)
• The same password is used to authenticate both on-prem and in the cloud
How does it work?
• The Sync Agent uses the DC Replication protocol to extract the MD4 Password Hash
• The MD4 hash is converted, packed, re-encrypted, and sent to Azure AD
• During AAD Login the MD4 Hash is generated from the user password, converted with the same process, and then matched
Security considerations
• Password hashes replicated to the Cloud
• No "sync" on the management side
  • Distinct and autonomous security policies
  • Password expiration
  • ...
• User prompted for password
  • no true SSO; the password is often stored locally as a result
  • seamless SSO in preview
Azure AD Seamless Single Sign-On
• A new option (in preview) for PHS and PTA to enable Single Sign-On for corporate (Domain Joined) devices
• Utilizes the existing Active Directory infrastructure
  • Inherits support for multiple regions
  • Inherits support for finding the closest DC
  • Based on Kerberos clients (Windows 7+)
  • No DR/HA plan outside of existing AD plans
• No additional servers or infrastructure required on premises
• Extends Integrated Windows Authentication (IWA) to Azure AD (using Kerberos and a Domain Joined Computer account - AZUREADSSOACC)
Seamless SSO
• It is supported on web browser-based clients and Office clients that support modern authentication, on platforms and browsers capable of Kerberos authentication
* additional configuration required
How does it work?
• Azure AD URLs must be added to the Intranet zone to allow Kerberos ticket forwarding (https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net)
Pass-Through Authentication (PTA)
• Enables on-premises password validation without complexity
PTA - Deployment
• Provides similar services to Federation
  • Forms-based authentication for non-domain joined / outside of corporate network users (PTA)
  • SSO for domain joined users on the corporate network (using the Seamless SSO option)
• No need for dedicated servers
  • PTA can be installed on existing servers or DCs
• High Availability without load balancers
  • PTA automatically uses all available connectors, no need to load balance
• No DMZ
  • All connections are outbound
  • No unauthenticated end points on the internet
• Less to manage ongoing
  • Simple DR, place connectors where needed
  • No certificates to manage
PTA - How does it work?
PTA - Setup & Security
Identity synchronization
User attributes are synchronized using Azure AD Connect; authentication is passed back through federation and completed against Windows Server Active Directory
Active Directory Federation to on premises (ADFS)
AD FS
IT Pro / Admin Experience
• Azure AD Connect
• AD FS and AD FS Proxy installed on premises
• Credentials not stored in Azure AD
End User Experience
• All authentication to on premises AD
• Seamless single sign on from domain joined PCs
• Self Service Password Reset of AD password with Azure AD Premium
ADFS can be implemented on Azure
What AD FS offers that PTA with SSO doesn't
• Passwords are always in your control boundary - i.e. they don't pass through the cloud
• Support for smartcard / certificate authentication
• Support for 3rd Party MFA providers and integration with On-Premises Applications
• Fine tune authentication behavior for the Intranet
• On-premises conditional access rules based on issuance policies, such as
  • Exchange protocols (e.g. POP, IMAP etc.)
  • Inside network claim
• Azure MFA as primary also for On-Premises authentication
Death to Passwords w/ AD FS 2016 (Extranet)
Hybrid Options Recap - feature detail
AAD CONNECT & SYNC
What is Azure AD Connect?
• Primary tool to onboard to Azure AD
• Express Settings gets customers connected in a matter of minutes
• Provides install & configuration of password sync/ADFS for sign-in
• All future investments will only be available with Azure AD Connect
Azure AD Connect and Writeback
• Password Writeback
  • Pairs with one of the most popular features of Azure AD Premium (SSPR)
  • Ability to reset passwords on-prem (password sync and federation supported)
• Group Writeback
  • Office 365 groups written back as DGs
  • Improves productivity in Hybrid scenarios
• Device Writeback
  • Supports the ability to do conditional access in ADFS based on registered devices
• Exchange Hybrid Writeback
MODERN AUTHENTICATION
What is Modern Authentication
• Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms (iOS, OS X, Android, Windows)
• Enables sign-in features such as
  • Multi-Factor Authentication (MFA)
  • SAML-based third-party Identity Providers with Office client applications
  • Smart card and certificate-based authentication
• Enables Conditional Access and Identity-based Security
• Removes the need for Outlook to use the basic authentication protocol
• It's based on OAuth
Modern Authentication
• History
  • Twitter, Ma.gnolia, Google
  • "Secure delegated access"
  • OAuth is an open standard
  • OAuth 2.0 (2012)
• Why do Enterprises like it?
  • Authenticated against own environment
  • Token-based, No Password
Modern Authentication Client Support (Office client application by platform)
Office clients
  Windows: Available now for Office 2013 and Office 2016.
  Mac OS X: Available now for Office 2016. Also available for OneNote 2014.
  Windows Phone: Available now.
  iOS: Word, Excel and PowerPoint are available now for both phones and tablets.
  Android: Word, Excel and PowerPoint are available now for both phones and tablets.
Skype for Business (formerly Lync)
  Windows: Included in Office client.
  Mac OS X: Available now.
  Windows Phone: Available now. CBA and other modern features not yet supported.
  iOS: Available now*.
  Android: Available now*.
Outlook
  Windows: Included in Office client.
  Mac OS X: Available now.
  Windows Phone: Coming soon.
  iOS: Available now.
  Android: Available now.
OneDrive for Business
  Windows: Included in Office client.
  Mac OS X: Available now.
  Windows Phone: Available now for Windows Phone 8.1.
  iOS: OneDrive for Business is available now.
  Android: OneDrive for Business is available now.
Legacy clients
  Windows: There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication.
  Mac OS X: There are no plans for Office for Mac 2011 to support ADAL-based authentication.
  Windows Phone: There are no plans for Office on Windows Phone 7 to support ADAL-based authentication.
  iOS: There are no plans to enable older Outlook iOS clients.
  Android: There are no plans to enable older Outlook Android clients.
* Not recommended for split domain configurations that include both Skype for Business Online and Skype for Business Server
DEMO
AZURE IDENTITY POWER - Leveraging Azure AD as Primary Identity Backplane
The time has come
• If you enabled Hybrid identity, now it's time to go further
• Azure AD as Primary Backplane brings a lot of value
  • Self-Service Password Reset
  • Multi-Factor authentication
    • for on-prem apps too with Windows Server 2016
  • Teams and Office 365 Groups
  • Conditional Access
  • Identity-based Security & Protection
  • ...
Manage your account, apps, and groups
• Company-branded, personalized application Access Panel: http://myapps.microsoft.com
• + iOS and Android Mobile Apps
Making the lives of users easier - Integrated end user experiences across devices
• Self-service password reset
• Application access requests
• Integrated Office 365 app launching
Self-Service Password Management
(diagram: Windows Server Active Directory, on-premises and hosted, connected through the Azure AD Connect Writeback Agent to Azure AD Password Management in the public cloud)
Multi-tiered security model:
• All traffic is over HTTPS
• Encryption with tenant-specific key
• Tenant-specific Service Bus namespace for pending requests
• Integrated anti-hammering, throttling, and message expiry
• Real-time notifications sent to users and admins
Works with federation, password sync, or cloud-only user accounts. Enforces all your rich on-prem password policies.
Users can update their AD passwords or unlock their AD accounts in real time - no waiting for sync.
No poking holes in your corporate firewall required - all connections occur against port 443 outbound only.
(diagram components: Tenant-specific Service Bus Namespace, PCNS to Connected Apps, Message expiry policies, Password Reset / Change Portal, Throttling / Anti-hammering, Real-time notifications of resets)
Azure Multi-Factor Authentication (MFA)
• MFA is Microsoft's two-step verification solution
• It works by requiring any two or more of the following verification methods:
  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)
Methods available for two-step verification (Verification Method: Description)
• Phone call: A call is placed to a user's registered phone. The user enters a PIN if necessary then presses the # key.
• Text message: A text message is sent to a user's mobile phone with a six-digit code. The user enters this code on the sign-in page.
• Mobile app notification: A verification request is sent to a user's smart phone. The user enters a PIN if necessary then selects Verify on the mobile app.
• Mobile app verification code: The mobile app, which is running on a user's smart phone, displays a verification code that changes every 30 seconds. The user finds the most recent code and enters it on the sign-in page.
• Third-party OATH tokens: Azure Multi-Factor Authentication Server can be configured to accept third-party verification methods.
Microsoft Authenticator - A mobile authenticator application for all platforms
• Converges the existing Azure Authenticator and all consumer Authenticator applications.
• MFA for any account, enterprise or consumer and 3rd party: Push Notifications/OTP
• Device Registration (workplace join)
• SSO to native mobile apps - Certificate-based SSO
• Future: Sign in to a device (Windows Hello), app, or website without a password
Identity-driven security (conditional access diagram)
• Conditions: User, App sensitivity, Device state, Location, Risk
• Actions: Allow access or Block access; Enforce MFA per user / per app
DEMO
QUESTIONS & ANSWERS
Thank You! Please fill in the feedback form!
Need more info?
• Interested in Innovation Scenarios with Microsoft Technologies?
• Contact us! www.pulsarit.net
Thank you!